FlexVPN IKEv2 authorization policy: how to use the DNS parameter?

pingduck
Level 1

I see that there is an option of dns under "crypto ikev2 authorization policy":

(config-ikev2-author-policy)#?
IKEv2 authorization policy commands:
  aaa                           Specify aaa attribute list
  backup-gateway                Specify backup gateway
  banner                        Specify mode config banner
  configuration                 Push configuration to the client
  def-domain                    Set default domain name to send to client
  dhcp                          Specify DHCP server for config address assignment
  dns                           Specify DNS Addresses
...

I also found a reference here: https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html

which says "Specifies the primary and secondary Domain Name Service (DNS) servers that is sent to the client in the configuration reply."

I also see on the client that the output shows the configured DNS:

      Local req msg id:  9              Remote req msg id:  0         
      Local next msg id: 9              Remote next msg id: 0         
      Local req queued:  9              Remote req queued:  0         
      Local window:      5              Remote window:      5         
      DPD configured for 55 seconds, retry 2
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is detected inside 
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 172.16.10.74
      DNS Primary: 4.2.2.2
      Remote subnets:
      172.16.4.1 255.255.255.255
      192.168.100.0 255.255.255.0
      10.8.0.0 255.255.0.0
      0.0.0.0 0.0.0.0

However, it is not present in the DNS view:

#show ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: cisco.com
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    192.168.1.254
DNS Server settings:
  Forwarding of queries is enabled
  Forwarder timeout: 3 seconds
  Forwarder retries: 2
  Forwarder addresses:

What I want is that, when the site-to-site VPN is established, DNS requests are sent to my head-end router via the VPN tunnel instead of using the client's default (which may become inaccessible after the VPN is up). But it doesn't seem like the "dns" option is doing anything.

3 Replies

GarethOwen2763
Level 1

Did you ever get a solution for this?

Mike.Cifelli
VIP Alumni

Please share your FlexVPN server and client side IKEv2 authorization configuration.

Everything works (IKEv2 routing, passes traffic), so I will just post the bit that is relevant:

VPN Gateway:

crypto ikev2 authorization policy PRINT_IKEV2_AUTH_POL
----  dns 10.10.10.10 10.10.10.20
----

Remote Site Router:

show crypto ikev2 sa detailed

-----
DNS Primary: 10.10.10.10
DNS Secondary: 10.10.10.20
-----

I have the right gateway config, as it works with Windows clients and they pick up the DNS just fine. Not sure why the remote site router doesn't use the value sent by the gateway as part of IKE_AUTH for its DNS queries, or which bit of config I need to enable that.
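As an added check (not from this thread or from Cisco), the following Python compares the DNS servers pushed in the IKEv2 configuration reply, as reported by `show crypto ikev2 sa detailed`, against the name-servers the router's resolver is actually using in `show ip dns view`. A non-empty result is exactly the symptom described in both the question and the last reply: the push is received but never installed. The sample outputs are constructed from the excerpts in this thread.

```python
import re

# Constructed sample, modelled on the "show crypto ikev2 sa detailed" excerpt above.
IKEV2_SA_DETAILED = """\
      Initiator of SA : Yes
      Pushed IP address: 172.16.10.74
      DNS Primary: 10.10.10.10
      DNS Secondary: 10.10.10.20
      Remote subnets:
      172.16.4.1 255.255.255.255
"""

# Constructed sample, modelled on the "show ip dns view" excerpt above.
IP_DNS_VIEW = """\
DNS View default parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: cisco.com
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    192.168.1.254
DNS Server settings:
  Forwarding of queries is enabled
"""

def pushed_dns_servers(sa_output: str) -> list[str]:
    """DNS servers the IKEv2 peer pushed in its configuration reply, primary first."""
    return re.findall(r"^\s*DNS (?:Primary|Secondary):\s*(\S+)", sa_output, re.M)

def resolver_name_servers(dns_view_output: str) -> list[str]:
    """Name-servers listed under 'Domain name-servers:' in the default DNS view."""
    servers, in_block = [], False
    for line in dns_view_output.splitlines():
        if line.strip() == "Domain name-servers:":
            in_block = True
            continue
        if in_block:
            # Entries are indented deeper than the heading; anything else ends the block.
            if line.startswith("    ") and line.strip():
                servers.append(line.strip())
            else:
                break
    return servers

def missing_pushed_dns(sa_output: str, dns_view_output: str) -> list[str]:
    """Pushed servers absent from the resolver; non-empty means the push had no effect."""
    configured = set(resolver_name_servers(dns_view_output))
    return [s for s in pushed_dns_servers(sa_output) if s not in configured]

if __name__ == "__main__":
    for server in missing_pushed_dns(IKEV2_SA_DETAILED, IP_DNS_VIEW):
        print(f"pushed DNS server {server} is not in the resolver's name-server list")
```

Run it against the two show commands captured from the spoke after the tunnel is up; on the outputs in this thread it reports both pushed servers as missing.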